Configuring OpenVPN authentication against LDAP (configured on CentOS 5.8)

An OpenVPN server can be configured to authenticate users with an additional login/password prompt.
This can be used as the only user verification method or in addition to the standard pre-shared key or certificate exchange configurations.

We were using the certificate authentication method in our company for a long time, waiting to have LDAP configured, which would allow us to add another layer of security by authenticating users with their LDAP login and password.

Password authentication for VPN is actually very easy to configure.
We decided to use the PAM plugin as the user authentication method, so we added this line to the configuration file on the VPN server:

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

This tells the server to authenticate all users against the PAM service named openvpn.
Now we configure that PAM service so that it uses LDAP as the primary source of user logins and passwords.
This is a working configuration in the /etc/pam.d/openvpn file:

auth sufficient pam_ldap.so config=/etc/ldap_openvpn.conf
auth required pam_deny.so

account required pam_ldap.so config=/etc/ldap_openvpn.conf
account required pam_permit.so

PAM uses the pam_ldap module to access data in LDAP, and pam_ldap reads its configuration from /etc/ldap.conf by default.
But because we also use pam_ldap authentication for ssh, su and other local services, whose settings live in the default /etc/ldap.conf, we want a separate configuration file just for the openvpn PAM service (/etc/pam.d/openvpn). This is done by passing config=/etc/ldap_openvpn.conf as an argument to pam_ldap.so.

Now we configure pam_ldap for openvpn authentication in /etc/ldap_openvpn.conf:

host ldapserver.example.com
base dc=example,dc=com
binddn cn=pam_ldap,ou=systemusers,ou=users,dc=example,dc=com
bindpw secret
scope one
timelimit 5
bind_timelimit 2
bind_policy soft
idle_timelimit 6

pam_filter |(objectClass=inetOrgPerson)
pam_login_attribute uid

pam_groupdn cn=openvpn_users,ou=groups,dc=example,dc=com
pam_member_attribute uniqueMember

pam_min_uid 1000
pam_max_uid 2000
pam_password exop

nss_base_passwd ou=users,dc=example,dc=com
nss_base_shadow ou=users,dc=example,dc=com
nss_base_group ou=groups,dc=example,dc=com

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl start_tls
tls_checkpeer no

As you can see, we use the pam_groupdn attribute to let in only users who belong to a specific group. This would not be possible with a single /etc/ldap.conf shared between openvpn (/etc/pam.d/openvpn) and other PAM services (e.g. /etc/pam.d/ssh or su), because we most likely do not want to check whether ssh users belong to the openvpn-specific group. That is where specifying a different config= parameter for each PAM service comes in handy.
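To make the chain above concrete, here is an added Python example (not code from the original post): it parses a pam_ldap config like the one above, builds the search filter pam_ldap derives from pam_filter and pam_login_attribute, spells out the LDAP compare that pam_groupdn/pam_member_attribute imply, and flags the settings in the file that weaken the VPN login path, such as tls_checkpeer no. The sample config is constructed from the post's values; the filter composition mirrors how pam_ldap ANDs pam_filter with the login attribute.

```python
# Constructed sample mirroring the /etc/ldap_openvpn.conf from the post.
SAMPLE_CONF = """\
host ldapserver.example.com
pam_filter |(objectClass=inetOrgPerson)
pam_login_attribute uid
pam_groupdn cn=openvpn_users,ou=groups,dc=example,dc=com
pam_member_attribute uniqueMember
ssl start_tls
tls_checkpeer no
"""

def parse_conf(text):
    """Return {key: value} for 'key value' lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def escape_filter_value(value):
    """RFC 4515 escaping, as pam_ldap applies to the login it puts in the filter."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

def user_search_filter(conf, login):
    """Search filter pam_ldap sends: pam_filter ANDed with <login_attribute>=<login>."""
    attr = conf.get("pam_login_attribute", "uid")
    user_term = "(%s=%s)" % (attr, escape_filter_value(login))
    extra = conf.get("pam_filter")
    return "(&(%s)%s)" % (extra, user_term) if extra else user_term

def group_check(conf, user_dn):
    """The LDAP compare pam_groupdn implies: (group DN, member attribute, user DN)."""
    groupdn = conf.get("pam_groupdn")
    if not groupdn:
        return None  # no group restriction: any user matching the filter may log in
    return groupdn, conf.get("pam_member_attribute", "uniqueMember"), user_dn

def audit(conf):
    """Flag settings in this file that weaken the VPN login path."""
    findings = []
    if conf.get("tls_checkpeer", "no") != "yes":
        findings.append("tls_checkpeer is not yes: LDAP server certificate is not verified")
    if conf.get("ssl") not in ("start_tls", "on"):
        findings.append("no TLS: bind and user passwords cross the network in clear text")
    if "pam_groupdn" not in conf:
        findings.append("pam_groupdn unset: every LDAP user with a valid password is let in")
    return findings
```

Running audit() over the post's file reports only the tls_checkpeer finding, which is the one setting a practitioner would want to revisit before trusting the LDAP server's answers.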

Posted in Server administration
